A collection of resources for Windows kernel development, exploitation, analysis, and security. Suitable for beginners to experts, this compilation covers a wide range of topics including driver development, reverse engineering, vulnerability research, and Windows internals.
If I'm missing anything, please let me know in the comments. I will add it!
@offby1security stream :: free advanced content
There are so many incredible videos here, far too many to list. Every Friday they stream something new; I would recommend joining them on YouTube! h/t @Steph3nSims
- https://www.youtube.com/@OffByOneSecurity
- https://www.youtube.com/@OffByOneSecurity/streams
- A Look at Modern Windows Kernel Exploitation with Connor McGarr @33y0re
- Emulating Obfuscated Code with @herrcore from OALABS
- Creative Windows Evasion and Forensics with @yarden_shafir
@OpenSecTraining OpenSecurityTraining2 :: free certification quality content
Everything is FREE! h/t @XenoKovah
Prerequisite knowledge.
These should be taken in the order they are presented here.
- Architecture 1001: x86-64 Assembly
- Debuggers 1011: Introductory WinDbg
- Debuggers 2011: Intermediate WinDbg
- Debuggers 3011: Advanced WinDbg
- Reverse Engineering 3011: Reversing C++ Binaries
- Architecture 2821: Windows Kernel Internals 2 - With @saidelike
- Exploitation 4011: Windows Kernel Exploitation: Race Condition + UAF in KTM - With @saidelike
@vxunderground Windows Papers
Collection of the best papers online.
- https://vx-underground.org/Papers/Windows/
- Analysis and Internals
- Kernel Mode
- Network Communications
- Process Injection
- System Components and Abuse
- Windows Internals Series
There are currently four issues. Every single issue is pure alpha. Words do not exist for how good this zine is. You'll have to search through it to find Windows resources. They have plenty :)
God tier tutorials!
- https://www.patreon.com/oalabs 10/10 Patreon content!
- https://www.youtube.com/@OALABS
@offsectraining Offsec Certifications
- https://www.offsec.com/
- https://www.offsec.com/resources/whitepaper/
- EXP-301: Windows User Mode Exploit Development
- EXP-401: Advanced Windows Exploitation
Software Engineer, Malware Analyst. One of the most skilled individuals in the industry.
- https://hasherezade.github.io/
- https://hasherezade.github.io/articles.html
- https://speakerdeck.com/hshrzd
Duncan Ogilvie @mrexodia
Reverse engineer, creator of @x64dbg. Rad content!
- https://github.com/mrexodia
- https://x64dbg.com/
- Windows Internals Crash Course
- https://www.youtube.com/@mrexodia
@LowLevelTweets Low Level Learning
Bro is cracked. Lots of amazing content.
- https://connormcgarr.github.io/ @33y0re
- https://www.x86matthew.com/ @x86matthew
- https://secret.club/ @the_secret_club
- https://j00ru.vexillium.org/ @j00ru
- https://h0mbre.github.io/ @h0mbre_
- http://blog.rewolf.pl/blog/ @rwfpl
- https://www.ired.team/
- https://googleprojectzero.blogspot.com
- :: Detailed analysis of kernel shellcode injection techniques https://web.archive.org/web/20201031082416/https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html
- :: Comprehensive guide to crafting Windows kernel shellcode https://web.archive.org/web/20240620155055/https://www.matteomalvica.com/blog/2019/07/06/windows-kernel-shellcode/
- :: Three-part series on Windows 10-specific kernel shellcode development https://web.archive.org/web/20230904145124/https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1
- :: Exploration of x64 kernel shellcode and SMEP bypass methods https://connormcgarr.github.io/x64-Kernel-Shellcode-Revisited-and-SMEP-Bypass/
- :: In-depth look at token manipulation for privilege escalation https://web.archive.org/web/20240131031335/https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation
- :: OWASP's introductory guide to shellcode creation https://web.archive.org/web/20230902090123/https://owasp.org/www-pdf-archive/Introduction_to_shellcode_development.pdf
- :: Beginner-friendly Windows shellcode development tutorial series https://web.archive.org/web/20230331070657/https://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/
- :: Analysis of the DoublePulsar SMB backdoor https://web.archive.org/web/20240628025230/https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
- :: Tutorial on shellcode injection techniques https://web.archive.org/web/20240628025230/https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
- :: HITB2016AMS presentation on kernel exploit hunting https://web.archive.org/web/20200830052506/https://www.youtube.com/watch?v=nvI6w8aW-4Q&gl=US&hl=en
- :: Ilja van Sprundel's talk on Windows driver attack surfaces https://web.archive.org/web/20220318065226/https://www.youtube.com/watch?v=qk-OI8Z-1To
- :: REcon 2015 presentation on font exploitation https://web.archive.org/web/20221220204348/https://www.youtube.com/watch?v=uvy5BF1Nlio
- :: Detailed walkthrough of a Windows 10 PagedPool vulnerability https://web.archive.org/web/20240314064102/https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
- :: LSE Week 2016 presentation on Windows kernel exploitation https://web.archive.org/web/20200830023723/https://www.youtube.com/watch?v=f8hTwFpRphU&gl=US&hl=en
- :: Two-part tutorial series on CAPCOM.SYS exploitation https://web.archive.org/web/20240124130626/https://www.youtube.com/watch?v=pJZjWXxUEl4
- :: In-depth guide to practical Windows kernel exploitation https://web.archive.org/web/20210525001326/https://www.youtube.com/watch?v=hUCmV7uT29I
- :: Presentation on reverse engineering and bug hunting in KMDF drivers https://web.archive.org/web/20230605131831/https://www.youtube.com/watch?v=puNkbSTQtXY
- :: Historical overview of binary exploit mitigation techniques https://vimeo.com/379935124
- :: Morten Schenk's talk on advanced Windows 10 kernel exploitation https://www.youtube.com/watch?v=Gu_5kkErQ6Y
- :: REcon 2015 presentation on reverse engineering Windows AFD.sys https://web.archive.org/web/20220910152758/https://www.youtube.com/watch?v=Gu_5kkErQ6Y&ab_channel=DEFCONConference
- :: Analysis of Windows kernel graphics driver attack surface https://web.archive.org/web/20240227203704/https://www.youtube.com/watch?v=uzPTyXQ1Oys
- :: TOCTTOU vulnerabilities in Windows kernel font scaler https://web.archive.org/web/20220816032001/https://www.youtube.com/watch?v=61K3kqTRbzU
- :: Black Hat USA 2013 talk on exploiting Windows kernel font scaler https://www.youtube.com/watch?v=efgoislKd8Q
- :: Comprehensive whitepaper on kernel exploit hunting and mitigation https://archive.conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/Broderick-Aquilino-and-Wayne-Low-Kernel-Exploit-Hunting-and-Mitigation.pdf
- :: Resource hub for various Windows kernel exploitation techniques https://www.greyhathacker.net/
- :: Detailed analysis of the BlueKeep vulnerability (CVE-2019-0708) https://web.archive.org/web/20240315214615/https://malwaretech.com/2019/09/bluekeep-a-journey-from-dos-to-rce-cve-2019-0708.html
- :: Writeup on exploiting SMBGhost vulnerability (CVE-2020-0796) https://web.archive.org/web/20240228162934/https://blog.zecops.com/research/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/
- :: Google Project Zero's analysis of Windows driver vulnerabilities https://web.archive.org/web/20240619003430/https://googleprojectzero.blogspot.com/2015/10/windows-drivers-are-truely-tricky.html
- :: Microsoft's breakdown of a sophisticated zero-day exploit https://web.archive.org/web/20240423013944/https://www.microsoft.com/en-us/security/blog/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/
- :: In-depth look at Windows kernel pool exploitation techniques https://web.archive.org/web/20240304235232/https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html
- :: Kernel Exploitation Case Study - "Wild" Pool Overflow on Win10 x64 RS2 (CVE-2016-3309 Reloaded) https://web.archive.org/web/20240118030716/https://www.siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
- :: Comprehensive guide to kernel pool exploitation on Windows 7 https://web.archive.org/web/20240724173125/https://www.exploit-db.com/docs/english/16032-kernel-pool-exploitation-on-windows-7.pdf
- :: Black Hat USA 2012 whitepaper on Windows kernel exploitation https://web.archive.org/web/20221127013832/https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
- :: F-Secure's analysis of CVE-2014-4113 exploitation https://web.archive.org/web/20220401111828/https://labs.f-secure.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
- :: Pwn2Own 2014 AFD.sys privilege escalation analysis https://web.archive.org/web/20220401111802/https://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
- :: Breakdown of a Symantec Endpoint Protection zero-day vulnerability https://web.archive.org/web/20240625014935/https://www.offsec.com/vulndev/symantec-endpoint-protection-0day/
- :: Analysis of Windows 10 kernel exploitation mitigation techniques https://web.archive.org/web/20231210112835/https://labs.nettitude.com/blog/analysing-the-null-securitydescriptor-kernel-exploitation-mitigation-in-the-latest-windows-10-v1607-build-14393/
- :: Detailed look at Windows token privileges and exploitation protection https://web.archive.org/web/20220401111814/https://www.exploit-db.com/docs/english/41924-nt!_sep_token_privileges---single-write-eop-protect.pdf
- :: Presentation on the evolution of GDI exploitation in Windows https://www.youtube.com/watch?v=ruuVkTuNUSc
- :: Windows kernel exploitation via GDI objects https://www.youtube.com/watch?v=2chDv_wTymc
- :: Analysis of kernel object abuse lifecycle https://www.youtube.com/watch?v=_u7d9kLdi0c
- :: Presentation on kernel object abuse through type isolation https://www.youtube.com/watch?v=kOV-Y9HcJWM
- :: Case study of CVE-2017-14961 exploitation https://web.archive.org/web/20191220090640/http://theevilbit.blogspot.com/2017/11/turning-cve-2017-14961-ikarus-antivirus.html
- :: Analysis of CVE-2018-8453 used in targeted attacks https://web.archive.org/web/20240723200320/https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/
- :: Overview of zero-day exploits used in Operation WizardOpium https://web.archive.org/web/20240721032520/https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/
- :: Advanced techniques for abusing GDI objects in kernel exploitation https://web.archive.org/web/20240721032520/https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/
- :: Core Security's guide to GDI exploitation primitives https://web.archive.org/web/20240222071011/https://www.coresecurity.com/core-labs/articles/abusing-gdi-for-ring0-exploit-primitives
- :: F-Secure's analysis of bitmap-based exploits post-Windows 10 Anniversary Edition https://web.archive.org/web/20220809192145/https://labs.withsecure.com/archive/a-tale-of-bitmaps/
- :: CanSecWest 2017 presentation on Win32k exploitation https://web.archive.org/web/20240513230917/https://www.slideshare.net/CanSecWest/csw2017-peng-qiushefangzhong-win32k-darkcompositionfinnalfinnalrmmark
- :: FuzzySecurity's tutorial on kernel exploitation via GDI bitmap abuse https://web.archive.org/web/20231130174909/https://fuzzysecurity.com/tutorials/expDev/21.html
- :: Black Hat 2011 presentation on kernel attacks through user-mode callbacks https://www.youtube.com/watch?v=EkGDSqpfzgg
- :: Detailed analysis of CVE-2020-1054 https://web.archive.org/web/20220921205303/https://0xeb-bp.com/blog/2020/06/15/cve-2020-1054-analysis.html
- :: Google Project Zero's journey in analyzing a Windows kernel vulnerability https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html
- :: Trend Micro's analysis of CVE-2016-7255 exploit in the wild https://web.archive.org/web/20201128172223/https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html
- :: Quarkslab's Win32k type isolation mitigation https://web.archive.org/web/20240117035011/https://blog.quarkslab.com/reverse-engineering-the-win32k-type-isolation-mitigation.html
- :: Kaspersky's analysis of CVE-2018-8589 zero-day exploit https://web.archive.org/web/20240723200321/https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/
- :: Microsoft's guide on detecting and mitigating CVE-2017-0005 https://web.archive.org/web/20231220175720/https://www.microsoft.com/en-us/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/
- :: Trend Micro's exploration of CVE-2015-1701 https://web.archive.org/web/20200928155308/https://www.trendmicro.com/en_us/research/15/e/exploring-cve-2015-1701-a-win32k-elevation-of-privilege-vulnerability-used-in-targeted-attacks.html
- :: NCC Group's analysis of CVE-2015-0057 exploitation https://web.archive.org/web/20220401111822/https://www.nccgroup.com/globalassets/our-research/uk/blog-post/2015-07-07_-_exploiting_cve_2015_0057.pdf
- :: Kaspersky's report on CVE-2019-0859 Win32k zero-day https://web.archive.org/web/20240717010748/https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/
- :: ESET's analysis of CVE-2019-1132 Windows zero-day exploit https://web.archive.org/web/20231207013235/https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/
- :: j00ru's five-part analysis series on Windows kernel local denial-of-service vulnerabilities https://web.archive.org/web/20240414170416/https://j00ru.vexillium.org/2017/02/windows-kernel-local-denial-of-service-1/
- :: j00ru's exploration of Win32k.sys menu vulnerabilities https://web.archive.org/web/20231202115944/https://j00ru.vexillium.org/2013/09/windows-win32k-sys-menus-and-some-close-but-no-cigar-bugs/
- :: Comprehensive guide to Win32k.sys internals https://web.archive.org/web/20160705095035/http://pasotech.altervista.org/windows_internals/Win32KSYS.pdf
- :: DEF CON 27 presentation on kernel exploitation techniques https://www.youtube.com/watch?v=tzWq5iUiKKg
- :: Kaspersky's analysis of privilege escalation in Namco driver https://web.archive.org/web/20240715225810/https://securelist.com/elevation-of-privileges-in-namco-driver/83707/
- :: Detailed walkthrough of CVE-2020-12138 exploitation https://web.archive.org/web/20240704232330/https://h0mbre.github.io/atillk64_exploit/
- :: Analysis of Viper RGB driver privilege escalation vulnerability https://web.archive.org/web/20240120154108/https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845
- :: Breakdown of CORSAIR iCUE driver privilege escalation vulnerability https://web.archive.org/web/20240322025023/https://www.activecyber.us/activelabs/corsair-icue-driver-local-privilege-escalation-cve-2020-8808
- :: FuzzySecurity's tutorial on exploiting Razer Synapse driver https://web.archive.org/web/20230402153628/https://fuzzysecurity.com/tutorials/expDev/23.html
- :: Analysis of Dell SupportAssist driver privilege escalation https://web.archive.org/web/20231223102612/http://dronesec.pw/blog/2018/05/17/dell-supportassist-local-privilege-escalation/
- :: ReWolf's exploration of MSI driver vulnerabilities https://web.archive.org/web/20231208213540/http://blog.rewolf.pl/blog/?p=1630
- :: Reading Physical Memory using Carbon Black's Endpoint driver https://web.archive.org/web/20231205030321/https://billdemirkapi.me/reading-physical-memory-using-carbon-black/
- :: ASUS UEFI Update Driver Physical Memory Read/Write https://web.archive.org/web/20240723195544/https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/
- :: 14-part playlist on Windows Kernel Programming https://www.youtube.com/watch?v=XUlbYRFFYf0
- :: 19-part playlist on Windows Driver Development https://www.youtube.com/watch?v=T5VtaP-wtkk
- :: Pavel Yosifovich's talk on developing kernel drivers with modern C++ https://www.youtube.com/watch?v=AsSMKL5vaXw
- :: Microsoft's overview of Winsock Kernel https://docs.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-winsock-kernel
- :: Four-part series on driver development basics https://web.archive.org/web/20240610174757/https://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers
- :: Microsoft's guide on creating IOCTL requests in drivers https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/creating-ioctl-requests-in-drivers
- :: Tutorial on Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL https://web.archive.org/web/20210521235856/https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/sending-commands-from-userland-to-your-kernel-driver-using-ioctl
- :: Pluralsight's three-part course series on Windows Internals https://www.pluralsight.com/courses/windows-internals
- :: Pluralsight's two-part course on Windows 10 internals https://www.pluralsight.com/courses/windows-10-internals-threads-memory-security
- :: Alex Ionescu's presentation on exploiting shared memory objects https://vimeo.com/133292423
- :: Overview of Windows Internals https://www.youtube.com/watch?v=vz15OqiYYXo
- :: Windows 10 Segment Heap internals https://www.youtube.com/watch?v=hetZx78SQ_A
- :: Gilad Bakas' comprehensive talk on Windows Kernel vulnerability research and exploitation https://www.youtube.com/watch?v=aRZ5Wi-NWXs
- :: NIC 5th Anniversary presentation on Windows 10 internals https://youtu.be/ffYiIUOUAUs
- :: Black Hat USA 2012 presentation on Windows 8 Heap Internals https://www.youtube.com/watch?v=XxlzK0CLFN0
- :: Detailed whitepaper on Windows 10 Segment Heap internals https://web.archive.org/web/20240717222948/https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf
- :: Comprehensive guide to understanding and finding System Service Descriptor Tables (SSDTs) https://web.archive.org/web/20240208135604/https://www.codeproject.com/Articles/1191465/The-Quest-for-the-SSDTs
- :: Overview of SSDT in Windows x64 kernel https://web.archive.org/web/20210802121624/https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/glimpse-into-ssdt-in-windows-x64-kernel
- :: Explanation of the Interrupt Descriptor Table (IDT) in Windows https://web.archive.org/web/20210521235927/https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/interrupt-descriptor-table-idt
- :: The Process Environment Block (PEB) https://web.archive.org/web/20220517152847/https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/exploring-process-environment-block
- :: The Windows Pool Manager https://web.archive.org/web/20240518231611/https://www.osr.com/nt-insider/2014-issue1/windows-pool-manager/
- :: Tutorial on parsing PE file headers with C++ https://web.archive.org/web/20210725001643/https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++
- :: First part of a series on reversing Windows internals, focusing on handles, callbacks, and object types https://web.archive.org/web/20240324190202/https://rayanfam.com/topics/reversing-windows-internals-part1/
The Windows Driver Kit is the cornerstone of kernel development on Windows. This toolkit includes:
- Driver templates
- Build environments
- Debugging tools
- Documentation
- https://learn.microsoft.com/en-us/windows-hardware/drivers/
- https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
For Windows 11 development, use Visual Studio 2022 and WDK 11.
Windows 11 Driver Development Updates
Windows 11 introduced improvements in areas such as camera, print, display, NFC, WLAN, and Bluetooth. For details:
The Windows Internals series is unparalleled.
- Detailed explanations of Windows core components
- Insights into system and management mechanisms
- Valuable knowledge for both developers and IT professionals
- https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals
- https://learn.microsoft.com/en-us/sysinternals/resources/
This repository contains:
- Various driver type examples
- Best practice demonstrations
- Regular updates for latest Windows versions
- https://github.com/Microsoft/Windows-driver-samples
Windows 11 supports writing drivers that run on both desktop and other Windows editions with shared interfaces.
WDF libraries simplify high-quality device driver creation. Refer to the WDF driver development guide for comprehensive information.
WinDbg is crucial for Windows kernel development:
- Crash dump analysis
- Real-time driver and kernel debugging
- Complex system behavior understanding
For Windows 11, WinDbg Preview from the Microsoft Store offers an updated interface.
OSR Online is a treasure trove for Windows driver developers.
- Forums for asking questions and sharing knowledge
- Articles and tutorials on various aspects of driver development
- Training courses for those who want structured learning
- https://www.osr.com/developers-blog/
- https://community.osr.com/
This book is amazing.
- Windows kernel programming fundamentals
- Practical examples and exercises
- Windows 10 and 11 kernel features
https://archive.org/details/WindowsNTDeviceDriverDevelopment/page/n215/mode/2up
Microsoft offers introductory driver development exercises:
- Write a UMDF driver based on a template
- Write a KMDF Hello World driver
- Write a KMDF driver based on a template
- Windows Sysinternals Tools: System analysis and troubleshooting
- ReactOS Project: Open-source Windows-compatible OS
- Intel Software Developer Manuals: x86 architecture reference
- Ghidra: NSA's software reverse engineering tool
- The NT Insider: Windows system software development journal
- Rootkits and Bootkits by Alex Matrosov et al.